Effective date: June 12, 2026
This Privacy Policy explains how Rainier Watch ("we," "us," "our") collects, uses, and protects information when you use the Is The Mountain Out? website at isthemountainout.com and the Is The Mountain Out? iOS app (together, the "Service").
We built this Service for the community, and privacy is a core part of how it works. We collect as little as we can get away with, and we never sell what we do collect.
Location, in a privacy-preserving form. When you submit a report, your device computes a coarse hexagonal location (roughly a 100-meter cell) using the open-source H3 library, and only that cell is sent to our servers. Your raw GPS coordinates never leave your device. We never store your precise location.
Report content. The mountain visibility state you submit, optional photo, the H3 cell described above, and a timestamp.
Photo files and embedded EXIF. When you attach a photo to a report, we store the original image file you uploaded on our servers and serve it back to other users so the photo can appear in the public feed. We also separately extract the photo's EXIF metadata (including any embedded GPS coordinates, camera details, and capture time) into our database and use it internally to verify that the photo was taken near the reported location and to detect fraudulent reports.
The structured EXIF data we extract into our database is admin-only: it is not returned by any public API, not displayed in the feed, and not shared with other users. However, we do not currently strip EXIF metadata from the original image file before storing or serving it. If your photo had GPS or other EXIF metadata embedded when you uploaded it, that metadata may still be present in the file other users can download from the feed. If you want zero embedded location data leaving your device, strip EXIF from the photo on your device before uploading. We are tracking a server-side change to strip EXIF from originals on upload.
Account information (optional). If you create an account, we collect your email address, any profile details you choose to provide, and your communication preferences (newsletter opt-in, feature emails). Anonymous reporting from your device is also supported and does not require an account.
Device identifier and context. A randomly-generated, anonymous device token used to deduplicate reports and prevent abuse. The token is stored in a browser cookie (web) or the iOS Keychain (app). It is not linked to advertising identifiers (no IDFA / IDFV on iOS) or any other hardware-tied identifier. Alongside the token, we infer and store coarse device context (platform like iOS / macOS / Windows, browser name, operating system) from the User-Agent header for compatibility and analytics. Anonymous device records that have never been used (no reports submitted, no support requests, no other activity) are purged after 30 days. Anonymous device records that have submitted reports are retained alongside those reports as part of the historical community archive. They are not tied to your identity since no account is required for anonymous reporting.
Technical logs. Standard request logs (timestamp, IP address, user agent, URL) for security, abuse prevention, and debugging. Daily application log files are rotated after 14 days. Separately, failed CAPTCHA / Turnstile validations and other security-relevant events are recorded with IP, user agent, and (where applicable) email address in our security events table to support investigation of repeated abuse. These security event records are not currently on a fixed retention schedule and may persist beyond 14 days. Neither logs nor security events are used for advertising profiles.
App-specific data on iOS. If you use the iOS app, we additionally collect crash reports and anonymized product analytics events (screens visited, actions taken) via Sentry and PostHog. Analytics events never include H3 cells, raw coordinates, or user-provided text. The iOS app requests these permissions: Location (when-in-use) for computing the H3 cell on-device, Camera for capturing report photos, and Photo Library for selecting existing photos. You can revoke any of these in iOS Settings at any time.
Beta bug reports (iOS, TestFlight only). When you shake your device to send us a bug report during the iOS beta, the report includes your description, an optional screenshot, the iOS version, the app build, and the device model identifier (e.g. "iPhone16,1") so we can reproduce and fix the issue. We use this only for triage and never share it externally.
We do not sell your personal information. We do not share it with third parties for advertising.
We use the following service providers to operate the Service. Each has its own privacy policy.
We use a small number of cookies on the website:
_clck, _clsk, MUID, MR, and SM to provide anonymized session insights and heatmaps. See Microsoft's documentation of Clarity cookies for details.See the Cookies Policy for the full list.
Reports are retained indefinitely as part of the historical community archive. Individual reports are anonymous (no direct link to your identity) once submitted, so they remain part of the dataset.
Account data (email, profile) is retained as long as your account is active. You can request deletion at any time by emailing [email protected]. We will delete your account and disassociate your future reports within 30 days.
Logs are rotated after 14 days.
The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have, we will delete it.
Depending on where you live, you may have legal rights regarding your personal information. We honor these requests for all users worldwide, not just those covered by a specific law.
To exercise any of these rights, email [email protected] from the email address associated with your account. We respond within 30 days. We may ask you to verify your identity to prevent unauthorized requests.
Our lawful bases for processing under the UK GDPR and EU GDPR are: (i) contract (account creation and operation of the Service), (ii) legitimate interests (security, fraud prevention, service improvement, the community archive), and (iii) consent (newsletter and feature-email opt-ins, where applicable). You can lodge a complaint with your local data protection authority if you believe we've mishandled your information, though we ask you to contact us first so we can try to resolve the concern.
In the past 12 months we have collected the categories of personal information described in "What we collect" above and used it for the purposes in "How we use what we collect." We have not sold or shared personal information. The "Rights you have" list above is your full set of CCPA / CPRA rights with us.
You may designate an authorized agent to make a request on your behalf. We will ask for written proof of the authorization and may still ask you to verify your identity directly.
We use industry-standard practices to protect data in transit (TLS) and at rest. No system is perfectly secure, but we work hard to keep your information safe.
If we make material changes to this policy, we will update the effective date at the top and (where appropriate) notify you via the Service or by email. Continued use of the Service after changes constitutes acceptance.
Questions, requests, or concerns? Email [email protected].